DRAFT: POLICY PAPER ON

REGULATORY FRAMEWORK
FOR MOBILE BANKING
IN PAKISTAN

Banking Policy & Regulations Department

State Bank of Pakistan
Aims to serve as Table of Contents
the starting point
for a more
elaborate EXECUTIVE SUMMARY ..................................................................................................... 1
discussion on the INTRODUCTION................................................................................................................... 2
issue, this Policy
Paper presents BRIEF OVERVIEW OF THE MODELS OF BRANCHLESS BANKING....................... 2
our draft BANK-FOCUSED MODEL ....................................................................................................... 2
recommendations BANK-LED MODEL................................................................................................................ 2
for modifications NONBANK-LED MODEL ......................................................................................................... 3
in the regulatory RISKS INVOLVED ................................................................................................................ 4
environment to
facilitate AGENTS RELATED RISKS ....................................................................................................... 4
branchless/mobile E-MONEY RISKS ................................................................................................................... 4
banking as a mean LEGAL & REGULATORY ISSUES: ................................................................................... 5
to extend financial
EXISTING REGULATORY FRAMEWORK FOR FINANCIAL SECTOR IN PAKISTAN ...................... 5
services outreach ISSUES FOR FINANCIAL SECTOR REGULATORS: ..................................................................... 5
to poor and under- Are consumers adequately protected? ............................................................................. 5
served strata of How do m-payments affect the stability of the banking system and national payment
the society in an system?............................................................................................................................. 6
efficient and cost Does the law distinguish adequately between payments and deposits?........................... 6
effective manner. Does the law provide for e-money issuance? By which entities?..................................... 6
Comments and Is there provision for agencies for cash withdrawal and deposits?................................. 7
suggestions are How do AML/CFT regulations affect account opening and cash transactions? ............. 7
welcome. Please MODELS OF BRANCHLESS BANKING AND REGULATORY ISSUES ........................................... 7
Bank-Focused Model:...................................................................................................... 7
email comments to
Bank-Led Model: ............................................................................................................. 8
ali.asad@sbp.org.pk
Nonbank-Led Model: ..................................................................................................... 10
or
javaid.ismail@sbp.org.pk SPECIFIC CHANGES NEEDED IN EXISTING REGULATIONS .................................................... 10
Banking Companies Ordinance 1962 (BCO)................................................................. 10
Prudential Regulations .................................................................................................. 11
ROADMAP FOR EXTENDING FINANCIAL SERVICES OUTREACH ..................... 13
CONCLUSION...................................................................................................................... 13
Banking Policy REFERENCES ...................................................................................................................... 14
& Regulations APPENDICES ....................................................................................................................... 15
Department
APPENDIX 1: BANKING RISKS RELEVANT TO AGENT-ASSISTED BRANCHLESS BANKING
MODELS. ............................................................................................................................. 15
State Bank of APPENDIX 2: BALANCING AML/CFT/CUSTOMER IDENTIFICATION REQUIREMENTS AND
Pakistan ACCESS TO FINANCIAL SERVICES FOR THE POOR. ............................................................... 17
 DRAFT: POLICY PAPER ON REGULATORY FRAMEWORK FOR MOBILE BANKING IN PAKISTAN

Executive Summary
Branchless/mobile banking models provide efficient and cost effective ways to extend financial
service outreach to the un-banked communities. Provision of enabling regulatory environment by
careful risk-reward balancing is necessary to use such models. These models can be classified into
three broad categories – Bank-Focused, Bank-Led and Nonbank-Led. Bank-focused model use
non-traditional low-cost alternate delivery channels (ADCs) to provide banking services to existing
banking customers. Examples include automatic teller machines (ATMs), internet banking, mobile
phone banking etc. Other Models offer a significantly cheaper alternative to conventional branch-
based banking by using delivery channels like retail agents, mobile phone etc. and can be used to
substantially increase the financial services outreach These models can be bank-led (where customer
account relationship rest with the bank and nonbank serves as the delivery channel) or Non-bank Led
(where Bank does not come in picture and the Non-Bank/Telco performs all the functions).
Risks Involved in branchless banking can be broadly classified into Agent-Related and E-Money
Risks. Agents Related Risks are common to all transformational models and arise from substantial
outsourcing of customer contact to retail agents, who may be operating in hard-to reach or dangerous
areas, lack physical security systems and specially trained personnel. When retail agents are used to
provide banking services, five of typical banking risk categories—credit, operational, legal, liquidity
and reputational—take on special importance beside elevated concerns regarding consumer protection
and compliance with rules for AML/CFT. E-Money Risks are typical to Nonbank-Led model and
relate to imprudent management of repayable deposits collected from retail customers by Non-bank
entities that are not subjected to prudential regulation and supervision.
Regulatory issues, from a financial regulator’s perspective, concerning mobile banking are related to
consumer protection, effect of m-banking on stability of banking & payment systems, legal definition
of deposit, e-money regulations, provisions for agency agreements and AML/CFT laws.
Bank-Focused model signify use of ADCs by banks as a cheap and convenient way to provide
banking services to their existing customers. This model can be used within existing regulatory frame
work and many banks have already started using it in varied extent.
Bank-Led (including JV based) Model is prone to agent-related risks. These risks can be mitigated
by making banks fully liable for actions of their agents and by giving regulators power to review
agents’ record of bank-related transactions. “Guidelines for Mobile Banking” covering various
aspects of this model may be issued for the purpose. Risk-based approach to Customer Due Diligence
(CDD) should be used to unleash true potential of this model.
As regards Nonbank-Led Model, the non-banks in Pakistan are subject to less stringent regulations
which may lead to significant risks w.r.t transaction security, documentation and AML/CFT beside e-
money related risks. For these reasons, Nonbank-Led model may only be allowed at a later stage after
we have sufficient experience in mitigating agent related risks using bank led model and need to think
about mitigating e-money related risks only. At that stage we may do so by making regulatory
changes giving these entities special status of some sort of quasi-bank/remittance agent etc. requiring
them to meet pre-specified standards of transparency, financial strength and liquidity and to follow
certain activity guidelines.
A careful, step-by-step approach, starting from basic bank led models and gradually adding more
activities as experience matures is the best approach.

SBP 1 BPRD
 DRAFT: POLICY PAPER ON REGULATORY FRAMEWORK FOR MOBILE BANKING IN PAKISTAN

Introduction
Extending the outreach of financial services to the un-banked/underserved/areas and people -
belonging mostly to the low income strata of the society - in a cost effective manner is viewed as
a big step towards poverty alleviation. Emerging advances in information and communication
technologies and their widespread usage offer tremendous opportunity to achieve this much
desired goal by making available non-traditional ways of providing financial services. However
these alternate delivery channels should be looked into prudently and adopted only after careful
balancing of risks and rewards. As regulators our role is not to try to eliminate these risks, but to
balance them appropriately with the benefits of using these new channels and to create an
enabling regulatory environment where new technologies are put to use on the efficient frontiers
of the risk-return tradeoff.

This Policy Paper presents a brief overview of various models of mobile/branchless banking
followed by a discussion of the risks attached to each model and finally, an analysis – from a
financial regulator’s perspective - of the regulatory issues and required changes in regulations to
implement these models. For preparing this paper we used information from several studies
conducted on other countries’ experiences with mobile banking and websites of existing mobile
banking services providers in those countries besides data from SPB payment systems
department, banking laws, regulations & policies, and other sources.

Brief Overview of the Models of Branchless Banking

Branchless banking represents a new distribution channel that allows financial institutions and
other commercial actors to offer financial services outside traditional bank premises. A wide
spectrum of branchless banking models is evolving. These models differ primarily on the
question that who will establish the relationship (account opening, deposit taking, lending etc.) to
the end-customer, the Bank or the Non-Bank/Telecommunication Company (Telco). Another
difference lies in the nature of agency agreement between bank and the Non-Bank. Models of
branchless banking can be classified into three broad categories - Bank Focused, Bank-Led and
Nonbank-Led.

Bank-Focused Model emerges when a traditional bank uses non-traditional low-cost

delivery channels to provide banking services to its existing customers. Examples range from use
of automatic teller machines (ATMs) to internet banking or mobile phone banking to provide
certain limited banking services to banks’ customers. This model is additive in nature and can be
seen as modest extension of conventional branch-based banking.

Bank-Led Model offers a distinct alternative to conventional branch-based banking in that

customer conducts financial transactions at a whole range of retail agents (or through mobile
phone) instead of at bank branches or through bank employees. This model promises the potential
to substantially increase the financial services outreach by using a different delivery channel
(retailers/ mobile phones), a different trade partner (Telco / Chain Store) having experience and
target market distinct from traditional banks, and may be significantly cheaper than the bank
based alternatives. Bank led model may be implemented by either using correspondent

SBP 2 BPRD
 DRAFT: POLICY PAPER ON REGULATORY FRAMEWORK FOR MOBILE BANKING IN PAKISTAN

arrangements or by creating a JV between Bank and Telco/non-bank. In this model customer

account relationship rests with the bank

Nonbank-Led Model is where bank does not come in picture (except possibly as a safe-
keeper of surplus funds) and the Non-Bank/Telco performs all the functions.

Both Bank-Led and Nonbank-Led models are transformational in scope but the former is much
less risky. Table 1 summarizes various models of branchless banking.

Table 1: Models of Branchless Banking

Model Bank Bank Led / Bank-Led/ Nonbank Led
Focused Banking Agents Joint Venture

Scope Additive Transformational Transformational Transformational

Account Bank Bank Bank Telco/ NB
Cash in /out Bank Bank/ NB Bank/NB Telco/ NB
Brand Bank Bank / Joint Joint /non-bank Telco/NB
or telco
Access points Bank Bank Bank + Telco + other
alternative
Carrier/ Any Any/Telco Telco Telco
Gateway
Examples MNet/ Brazilian model2 MTN Mobile Globe5; Celpay
1Link, of “Banking Money3, Wizzit4 6
(Zambia)
Other SMS Correspondents” (South Africa)
Banking1
Services

1
In Pakistan ATM banking has taken off by two interlinked switches. Many banks also offer limited banking
services like balance enquiry, mini-statement etc over mobile phone and restricted fund-transfer over internet.
2
In Brazil, private and state-owned banks deliver financial services through retail agents including small
supermarkets and pharmacies, post offices, and lottery kiosks (Kumar et al. 2006).
3
MTN Banking of South Africa is joint venture between Standard Bank and MTN Mobile offering the MobileMoney
account which gives customer access to limited banking facilities, using Wap enabled cellphone.
(http://www.mtnbanking.co.za/)
4
WIZZIT is a cellphone-based banking facility provider operating as a division of South African Bank of Athens. It
does not require users to have a prior bank account and is compatible with early generation cell phones popular in
low-income communities. In addition to being able to conduct cellphone-to-cellphone transactions, WIZZIT account
holders are issued Maestro debit cards that can be used at any ATM or retailer. WIZZIT charges per-transaction fees
that range from 99c (USD 0.15) to R4.99 (USD 0.78) and does not charge a monthly fee nor require a minimum
balance. There are no transaction limitations - the service is purely pay-as-you-go.
(http://www.nextbillion.net/activitycapsule/wizzit)
5
In Philippine, Globe Telecom’s G-Cash service is an e-money account tied to a mobile phone subscriber
information module (SIM card). The account can be loaded and unloaded by depositing or withdrawing cash at a

SBP 3 BPRD
 DRAFT: POLICY PAPER ON REGULATORY FRAMEWORK FOR MOBILE BANKING IN PAKISTAN

Model Bank Bank Led / Bank-Led/ Nonbank Led

Focused Banking Agents Joint Venture
Features Minimum Low risk, high Increased Increased
new risks potential to network security network security
increase access to
unbanked.

Risks Involved7 in branchless banking can be broadly classified into Agent-Related and
E-Money Risks.

Agents Related Risks arise from substantial outsourcing of customer contact to retail
agents. From a typical banking regulator’s perspective, entrusting retail customer contact to the
types of retail agents used in both the bank-led and nonbank-led models would seem riskier than
these same functions in the hands of bank tellers in a conventional bank branch. These retail
agents may operate in hard-to reach or dangerous areas & they lack physical security systems and
specially trained personnel. The lack of expert training may seem a particular problem if retail
agents’ functions range beyond the cash-in/cash-out transactions of typical bank tellers to include
a role in credit decisions.

Banking regulation typically recognizes multiple categories of risk that bank regulators and
supervisors seek to mitigate. Five of these risk categories—credit risk, operational risk, legal risk,
liquidity risk, and reputation risk—take on special importance when customers use retail agents
rather than bank branches to access banking services. The use of retail agents also potentially
raises special concerns regarding consumer protection and compliance with rules for combating
money laundering and financing of terrorism. These Risks are further explained in Appendix - 1.

E-Money Risks relates to acceptance of repayable funds from retail customers by Non-Bank
entities that are not subjected to prudential regulation and supervision. Risk is that an unlicensed,
unsupervised Non-Bank will collect repayable funds from the public in exchange for e-money
and will either steal these funds or will use them imprudently, resulting in insolvency and the
inability to honor customers’ claims.

wide range of retail agents and the mobile operator’s own dealers. Customers can store cash (in the form of e-
money), send funds from person to person, pay bills and make loan repayments, and purchase goods at shops using
the e-money value in their G-Cash accounts. (Lyman et al., 2006)
6
Celpay, allows registered customers to use their cell phones for merchant transactions, monthly bill payments, and
fund transfer between participating phones using a secure SIM card, adding a menu to their cellphones that facilitates
the payments and providing access to their Celpay accounts. Money can be added to Celpay accounts via transfers
from a bank account, or by depositing cash or a check at a participating Celpay partner bank. Transfers made using
Celpay are free to the payer, while the payee is charged a small fee for each transaction. Celpay, recently purchased
by South African FirstRand bank, is currently functioning in Zambia and the Democratic Republic of Congo (DRC).
(http://www.nextbillion.net/activitycapsule/1873)
7
Lyman et al. 2006

SBP 4 BPRD
 DRAFT: POLICY PAPER ON REGULATORY FRAMEWORK FOR MOBILE BANKING IN PAKISTAN

Legal & Regulatory Issues:

Existing Regulatory Framework for Financial Sector in Pakistan
Under the prevalent legislative structure the supervisory responsibilities in case of Banks,
Development Finance Institutions (DFIs), and Microfinance Banks (MFBs) fall within legal
ambit of State Bank of Pakistan while the rest of the financial institutions8 are monitored by other
authorities such as Securities and Exchange Commission.

Banking Companies Ordinance, 1962 (BCO) and the State Bank of Pakistan Act, 1956 (SBP Act)
provide the main legal structure under which the banking system of Pakistan operates9. Banking
Companies are licensed under section 27 of BCO and in terms of the Licensing Criteria for
Commercial Banks. Once licensed, banks are scheduled under section 37 (2) of SBP Act after
they meet strict requirements of capital adequacy, cash and liquid reserves maintenance,
transactional record keeping, and upholding financial and managerial discipline. They are also
required to establish internal control, internal audit and compliance systems. Banks are under
vigilant supervision by SBP and are required to follow the guidelines/rules/regulations issued by
it in letter and spirit or be ready to face severe penalties (upto the extent of a change of
management or winding up of business). In return, they are allowed to take deposits for the
purpose of lending or investment and can avail SBP discount window, lender of last resort
facilities etc. In addition, SBP also licenses Microfinance Banks under the Microfinance
Institutions Ordinance (2000-2001) in terms of the licensing criteria for micro-finance banks.
Commercial Banks are also allowed to undertake microfinance banking activities through a range
of options for conducting the microfinance business. Further, SBP is also looking out for options
for introducing Islamic Microfinance by banks.

Issues for Financial Sector regulators:

While attempting to increase financial services outreach, regulators need to think over many
issues. In a report commissioned by Department for International Development (DFID),
Porteous10 very neatly summarizes issues for financial regulators concerning mobile banking in
the form of 6 questions. Here we first discuss these questions in the context of Pakistan and then
discuss our regulatory environment with specific reference to various models of branchless
banking.

Are consumers adequately protected?

Appropriate consumer protection against risks of fraud, loss of privacy and even loss of service is
needed for establishing trust among consumers which is the single most necessary ingredient for
growth of m-banking. These risks increase when agents are involved and reach to a maximum in
Nonbank-led model. As we will be dealing with a large number of first time customers with low

8
Non-banking Finance Companies (NBFCs) (leasing companies, Investment Banks, Discount Houses, Housing
Finance Companies, Venture Capital Companies, Mutual Funds), Modarabas, Stock Exchange and Insurance
Companies.
9
There are other laws applicable to certain financial institutions or groups of institutions, like Bank Nationalization
Act,1974, Microfinance Institutions Ordinance, 2001, etc.
10
Porteous D. 2006

SBP 5 BPRD
 DRAFT: POLICY PAPER ON REGULATORY FRAMEWORK FOR MOBILE BANKING IN PAKISTAN

financial literacy the risks become even higher. These risks can be mitigated by entering into
mobile banking activities through known, already regulated players (banks) and by issuing
adequate guidelines regarding privacy protection, network security and complaint redressal.

How do m-payments affect the stability of the banking system and national
payment system?
Soundness and stability of the banking system and national payment system are central to our
mandate as financial regulator of the country. However, the question whether or not mobile
banking, particularly at its initial stage, becomes a systemically important payment system, needs
deliberations. Answer to this question helps in determining the timing and extent of applicability
of Core Principals for Systemically Important Payment Systems to mobile banking.

Does the law distinguish adequately between payments and deposits?

BCO 62 defines deposits implicitly in the definition of ‘Banking’11 and further while explaining
section 2712. Under existing law, it is the purpose (for investment or borrowing) and not the mode
of payment (cash or electronic) that defines deposit. The proposed Draft Banking Act 2006 does
contain a more comprehensive definition of deposit.

Does the law provide for e-money issuance? By which entities?

Issuance of e-Money13 is included in the permissible banking activities in the proposed Banking
Act 2006 (though the act does not define e-money). Electronic Transaction Ordinance, 2001
permits14 an appropriate authority to provide for or accept payment in electronic form. The
Electronic Fund Transfer and Payment System Act is yet to be enacted in Pakistan to frame a
relevant legal structure.

11
BCO 62 defines banking to mean “the accepting, for the purpose of lending or investment, of deposits of money
from the public, repayable on demand or otherwise, and withdrawable by cheque, draft, and order or otherwise.”
12
“deposits of money” shall be deemed to include money called, invited or collected for the purpose, or declared
object, of investment or borrowing in any business carried on, or proposed to be carried on, by the company, firm or
person by whom, or on whose behalf, such money is called, invited, collected or received irrespective of the nature of
the relationship, arrangement or terms offered or provided by such company, firm or person to the person making the
investment, deposits of money or payment or of the basis or understanding or which the money is so called, invited,
collected or received. (Explanation – Section 27A, BCO 1962)
13
E-money, according to the Basel Committee’s definition, is “a stored value or prepaid product in which a record of
the funds or value available to the consumer for multipurpose use is stored on an electronic device in the consumer’s
possession.” A legal definition of electronic money is included in Article 1 of European Parliament and Council
Directive 2000/46/EC (OJ L 275 of 27 October 2000, pp 39-43). The definition states that “electronic money shall
mean monetary value as represented by a claim on the issuer which is: (i) stored on an electronic device; (ii) issued
on receipt of funds of an amount not less in value than the monetary value issued; (iii) accepted as means of payment
by undertakings other than the issuer”. (Bank for International Settlements 2004).
14
Section 16(2)(c)(iii), Electronic Transaction Ordinance, 2001.

SBP 6 BPRD
 DRAFT: POLICY PAPER ON REGULATORY FRAMEWORK FOR MOBILE BANKING IN PAKISTAN

Is there provision for agencies for cash withdrawal and deposits?

There is no clear provision for agencies for cash withdrawal and deposits under existing law.
However, BCO, 196215 permits banks to pay commission to a cashier-contractor. The term
cashier-contractor is not defined, but it may be interpreted as permission to enter into agency
agreement with third parties regarding handling money on behalf of the bank. We may issue
certain guidelines for such agency arrangements. An alternate arrangement of cash
deposit/withdrawal (person to person mode) which appears permissible under existing legal
framework is discussed in Table 3.

How do AML/CFT regulations affect account opening and cash

transactions?
A risk-based approach should be adapted to customers’ due diligence (CDD) requirements. This
is already in practice for microfinance banking16. Proper guidelines in this regard needs to be
issued.

Models of Branchless Banking and Regulatory Issues

Bank-Focused Model: In this model the technological/physical infrastructure of a mobile
operator / retailer is used to provide some basic banking services like balance enquiry, A/c to A/c
fund transfer, payments for goods / services at merchant outlets using bank account (through
ATM/ Debit card / Phone SMS etc). Most of these services are already being provided by banks
and are covered under existing regulations. So this model poses no specific regulatory issues.
Evidence suggests that this type of activity is already gearing up in Pakistan. Table 2 presents
some indicators in this regard.
Table 2: Growth of Electronic Payments and use of Alternate Delivery Channels in
Pakistan17
Jul-Sep 2005 Jul-Sep 2006
Number of Retail Transactions (000)
Electronic Based 15,611 21,723
Paper Based 66,572 79,677
No of installed ATMs 1,142 1,729
transactions through ATMs 10.58 million valuing 11.4 million valuing Rs.70.3
(99% cash withdrawals) 60.778 billion billion
Funds Transfer through ATMs 31 thousand transactions 43 thousand transactions
valuing Rs.278.72 valuing Rs.1,717 million
million
Online branches 3,030 out of 3,761 out of total 7,462
Total 7077 (43%) (50%)

15
Section 11 (1) (b) (ii) (b) of Banking Companies Ordinance, 1962.
16
Microfinance Institutions are already allowed to extend micro-credit by establishing identity through other
appropriate means in far-flung and remote areas where people, particularly women, don’t have identity cards as per
Prudential Regulation No. 17 for microfinance banks/institutions.
17
Source: Retail Payment Systems of Pakistan, 1st Quarterly Report 2006-2007.

SBP 7 BPRD
 DRAFT: POLICY PAPER ON REGULATORY FRAMEWORK FOR MOBILE BANKING IN PAKISTAN

No of Card Holders (000)

Credit 1,118 1,679
Debit 2,197 3,486
ATM only 18 175 87

Bank-Led Model: In this model, agents like mobile operators and retail outlets (departmental
stores, mobile card sellers, small shop-keepers etc.) generally play a significant role in provision
of banking services to end customers. This model is, therefore, prone to agent-related risks. These
agent-related risks can be mitigated by making banks fully liable for actions of their agents and
by giving regulators power to review agents’ record of bank-related transactions. “Mobile
Banking Guidelines” may be issued for banks. These guidelines should include “Minimum
Requirements for setting up a Grievance Redressal Function”, “Security Requirements for the
transaction processing and recording system (capable of producing an undeniable proof of
transaction in case of any dispute)”, “Risk-Based Customers Due Diligence (CDD)
Requirements” etc. Separate guidelines may also be issued for “Selecting Banking
Correspondents/Agents” for banks who want to take up agent-based mobile banking.

Beauty of this model is that it can be implemented incrementally starting from most basic
activities and gradually adding more and more activities as market participants as well as
regulators become more experienced. An activity-based analysis of regulatory issues and required
changes for broad categories of banking activities is summarized in Table 3.

Table 3: Regulatory issues and required changes - Bank-led & JV-based Models
Function/Role: Performed By: Legal Issues and changes required
Product or Bank No Issue
Service Non-Bank Non-Bank may not be fully aware of existing legal
Designing requirements. This issue may be resolved by making
bank responsible for the product legality no matter who
designs it in the first place.
Product Bank / Non-Bank No issue.
Marketing
A/c Opening Bank No issue.

However, to extend outreach to lower strata of society a

risk based approach to CDD requirements should be
followed. Various account types may be introduced each
requiring a different level of KYC/AML screening.
Transaction volume/turnover limits may vary for each
account type. Technology at the back-end should be
capable of online monitoring of these limits to avoid any
breaches.
By Retail Outlet but May led to compromised KYC requirements. Retailers
ultimately verified may open account without actually ever meeting their

18
Negative growth of ATM only cards is due to the fact that these cards are being replaced either by debit cards or
credit cards.

SBP 8 BPRD
 DRAFT: POLICY PAPER ON REGULATORY FRAMEWORK FOR MOBILE BANKING IN PAKISTAN

Function/Role: Performed By: Legal Issues and changes required

by bank customer. Even when necessary ID documents are
attached to the A/C opening form, the actual person may
not know that an a/c has been opened in his/her name.
Guidelines for “Selecting Banking Correspondents/
Agents” should be issued prior to allowing this activity
Balance Bank through retail Adequate guidelines to ensure customer privacy be
enquiry channels / Mobile issued and adherence of all players to these guidelines
phones, POS must be ensured.
Cash Deposits / Bank at its branches No issue
Withdrawals / ATM locations
Person to person In this model, to affect a deposit to his account, a mobile
a/c holder (A) may approach some store/retailer (B)
(also treated as just another a/c holder). A passes on
some cash to B, who in turn, transfers an equivalent
amount (possibly after deducting some agreed service
charges) from his (B’s) account to A’s a/c. Both parties
get SMS from the bank confirming the transaction.
Reverse of this process may be executed to affect a cash
withdrawal. These types of transactions facilitate
deposit/withdrawal of funds without being defined as
deposit taking activity.
Banking Guidelines for “Selecting Banking Correspondents”
Correspondents should be issued prior to allowing this activity
For both person-to-person as well as agent based
transactions, nature / extent and volume of transactions
must be decided beforehand by the regulators specifying
volume and turnover limits on each type of transactions.
Money Bank at its No issue as both sender and recipient of funds are
Transfers branches/ATM account holders and the transactions are subject to
(person to locations or through AML/CFT guidelines.
person, person mobile phone
to business and Banking Guidelines for “Selecting Banking Correspondents”
vice versa). Correspondents should be issued prior to allowing this activity
Lending All Key activities No specific issues related to lending activities arise as
Activities like product the banking correspondents’ role is reduced to deposit/
designing, customer withdrawal/fund-transfer activities which are separately
acquisition, credit discussed above.
documentation and
initiation etc. are Further, there is no harm in taking input in product
done by the bank design from non-bank partners (who may have greater
and correspondents knowledge of the target customers) as long as final
are used only for responsibility lies with the bank.
disbursement and
collection of funds.

SBP 9 BPRD
 DRAFT: POLICY PAPER ON REGULATORY FRAMEWORK FOR MOBILE BANKING IN PAKISTAN

Function/Role: Performed By: Legal Issues and changes required

Correspondents are Banks should be held responsible for all activities
involved in lending undertaken by the correspondents. They may be required
activities like to sign proper agency agreements with the banking
marketing, customer correspondents involved in lending activities in line with
identification, loan the relevant guidelines and may be required to impart
documentation, necessary training to the correspondents’ staff before
disbursement etc. undertaking these services.

Nonbank-Led Model:
In this model, customers do not deal with a bank, nor do they maintain a bank account. Instead,
customers deal with a Non-Bank firm—either a mobile network operator or prepaid card issuer—
and retail agents serve as the point of customer contact. Customers exchange their cash for e-
money stored in a virtual e-money account on the non-bank’s server, which is not linked to a
bank account in the individual’s name.

This model is riskier as the regulatory environment in which these non-banks operate in Pakistan
does not give much importance to issues related to customer identification, which may lead to
significant AML/CFT risks. Bringing in a culture of KYC to this segment will be a major
challenge. Further the non-banks are not much regulated in areas of transparent documentation
and record keeping which is a prerequisite for a safe financial system. Regulators also lack
experience in the realm. For these reasons, allowing nonbank-led model to operate will be an
unnecessarily big leap and an unjustifiably risky proposition. However this model may be
allowed at a later stage after we have sufficient experience in mitigating agent related risks using
bank led model and need to think about mitigating only e-money related risks.

To mitigate the e-money risks (which are peculiar to Nonbank-Led model only), necessary
changes in the existing regulations are required. So, for implanting this model we should start by
bringing Non-Banks under financial-regulatory net by giving these entities special status of some
sort of quasi-bank/remittance agent etc. Grant of this status should depend upon meeting pre-
specified standards of transparency, financial strength and liquidity. There should be clear, well-
defined limits on nature, type and volume of transactions that such entities can undertake. To
avoid insolvency, these entities may be required to deposit their net e-banking surplus funds with
scheduled banks meeting certain minimum rating criteria. They should also be told to follow clear
guidelines for AML/CFT and to establish a well-defined and efficient complaint redressal
mechanism.

Specific Changes Needed in Existing Regulations

Banking Companies Ordinance 1962 (BCO)
As long as the mobile banking activities are performed by a banking company (Bank-focused or
bank led), BCO is not violated. No change may, therefore be required in the BCO. On the other
hand, Nonbank-Led model clearly violate the BCO as in that case Non-Banks would be accepting
‘repayable’ deposits. If we like to pursue Nonbank-led model, we should find a way to grant the
Non-Banks some specific status to avoid their classification as a banking company. A similar

SBP 10 BPRD
 DRAFT: POLICY PAPER ON REGULATORY FRAMEWORK FOR MOBILE BANKING IN PAKISTAN

workaround was found in Philippine by according Globe Telecom and SMART a rather loosely
defined status of “Remittance Agent”19. In Pakistan, Microfinance Institutions Ordinance, 2001
also defines Microfinance Institution as a deposit taking entity which is not a Banking
Company20. The banks may be allowed to establish banking agent relationships with other
market participants (Telcos/others) after issuing specific guidelines in this regard.

Prudential Regulations
If the bank-led model is followed, prudential regulations relating to ‘Know Your Customer
(KYC)’, ‘Anti Money Laundering (AML)’ and ‘undertaking of cash payments outside the bank’s
authorized place of business’ need modifications.

Regulations M-1 (KYC) and M-2 (AML) describe ‘the minimum identification / introduction
requirements for taking in a new customer’ and ‘measures to safe guard against Money
Laundering activities’ respectively. To facilitate rapid take-off of mobile banking and to extend
its outreach to the unbanked communities, we may consider adopting a risk-based KYC system
where identification requirements vary according to the nature of account operations. Accounts
with restricted transaction volume/turnover limits should have lower KYC requirements.
Similarly, requirements for ascertaining customer’s status and his source of earnings (M-2(b))
may be relaxed for these restricted accounts. Microfinance Institutions are already allowed to
extend micro-credit by establishing identity through other appropriate means in far-flung and
remote areas where people, particularly women, don’t have identity cards21. Appendix-2 presents
reduced AML / KYC requirements as adopted by other countries to extend financial services
outreach.

Regulation O-1 allows banks to facilitate cash withdrawals through authorized merchant
establishments at various point of sale (POS) upto a maximum limit of Rs. 10,000. This
regulation may be modified to include cash deposit facilitations upto a certain maximum limit
(not exceeding the per transaction limit of that particular account holder) using similar
arrangements.

In case the mobile banking activities are performed under a Nonbank-led model, these Non-
Banks should first be given some special status and then either a special set of prudential
regulations specific to them be framed or modification in existing prudential regulations be made.

19
Bangko Sentral ng Pilipinas. 2004. “Circular 471, Section 3.” Bangko Sentral ng Pilipinas.
(http://www.bsp.gov.ph/regulations/regulations.asp?type=1&id=116)
20
Microfinance Institutions Ordinance, 2001 Sections 2 and 3.
21
Prudential Regulations No. 17 for microfinance banks/institutions
(http://www.sbp.org.pk/publications/prudential/micro_prs.pdf)

SBP 11 BPRD
 DRAFT: POLICY PAPER ON REGULATORY FRAMEWORK FOR MOBILE BANKING IN PAKISTAN

Broad steps needed for implementing various models of branchless banking are summarized in
Table 4.

Table 4: Regulatory Steps Needed to Implement Various Models of Branchless Banking

Model Regulatory Steps Needed for Implementation
Bank-Focused 1. No specific steps are needed. Necessary requirements to mitigate risks
(Additive) posed by this model (w.r.t. customers’ privacy and data security etc.) are
Model in place and banks are bound to comply with the same. However, it
would be prudent to issue mobile banking guidelines related to customer
privacy, transaction security and complaint redressal.

Bank Led 1. Mobile Banking Guidelines for Banks should be issued. These guidelines
Model should include minimum requirements for;
a. Setting up Grievance Redressal Function
b. Security of the Transaction Processing and Recording System
c. Customer Relationship levels (transaction and turnover limits for
various account types)
d. Risk-Based Customers Due Diligence (CDD) Requirements
2. Agent assisted mobile banking services may be allowed after;
a. Making banks fully liable for actions of their agents.
b. Giving regulators power to review agents’ record of bank-related
transactions. And after
c. Issuing guidelines for;
• Selecting Banking Correspondents/Agents.
• Cash deposit and withdrawal operations using agents.
• Lending operations using agents.
Nonbank Led 1. Non-banks should be brought under financial regulatory net by giving
Model these entities special status of some sort of quasi-bank/remittance agent
etc. This may be done either by amending BCO or by enacting some
special law.

2. Law should define;

a. Supervisory structure for such entities. If more then one supervisor
are involved (SBP/PTA/SECP), clear division of authorities and
responsibilities should be made.
b. Minimum requirements w.r.t transparency, financial strength and
liquidity for obtaining this status.
c. Permissible activities for such entities (clear, well-defined limits on
nature, type and volume of transactions)
d. Requirement to deposit net e-banking surplus funds of such entities
with scheduled banks meeting certain minimum rating criteria.
3. Supervisory agency defined under law (preferably SBP) should issue
specific guidelines covering various aspects of the business especially,
AML/CFT, customer privacy, data security, disaster recovery and
business continuity, risk management and complaint redressal etc.

SBP 12 BPRD
 DRAFT: POLICY PAPER ON REGULATORY FRAMEWORK FOR MOBILE BANKING IN PAKISTAN

Roadmap for Extending Financial Services Outreach

Prudence demands a careful, step by step approach to ensure success in extending financial
services outreach to the un-banked/under-served people. Identification of a clear roadmap is
necessary. Important milestones of such road map are suggested here which may be adopted after
necessary improvements, especially from the business and marketing perspective. We may also
look into the possibility of running a pilot project in some specific region/city or through some
specific players (e.g. microfinance banks who will be more suited to deal with the low balance
accounts). Desired timeframe for achieving each milestone and the fallback options for undesired
eventualities may also be decided.

1. Bank Led model be allowed for deposit/withdrawal/ fund-transfer activities.

a. Banks be made fully liable for all mobile banking activities
b. Guidelines for Mobile Banking and for Agent-assisted Banking be issued.
c. Efforts be made to bring down transaction costs.

2. Banks / Institute of Bankers in Pakistan (IBP) or other private parties be motivated

to offer low-cost trainings to banking correspondents in the areas of;
a. General Mobile banking Services
b. Consumer lending
c. Microfinance
d. Agricultural lending etc.
3. Lending Activities be added to the mobile banking (Relevant Guidelines be updated
to include lending activities).
4. Nonbank-led model be allowed for deposit/withdrawal and payments for
services/purchases only.
a. Regulatory Structure to license quasi-banks to conduct specific limited subset of
banking activities be put in place.
b. E-money law be put in place.
c. Supervisory responsibilities for these quasi-banks be defined.
d. Guidelines for quasi-banks be issued.

5. Range of financial services performed by quasi-banks be widened gradually to

include person-2-person fund transfers after they get some experience in AML/CFT.

Conclusion
Bank-Focused model, though less risky, does not offer much when it comes to extending
financial service outreach to the poor and unbanked. Both Bank-Led and Nonbank-Led Models
offer a greater potential to achieve this objective. These models, however, vary in their potential
as well as risks. The decision as to which model must be adopted should be made after
carefully weighing the risk-return tradeoff. A careful approach may be adopted to start
with the less risky bank-led model and gradually adding more options as the players and
stakeholders become more experienced. Once a model of branchless banking is decided
upon, work towards creating an enabling regulatory environment for implementation of
that model should start. Many components of such an environment are already in place if

SBP 13 BPRD
 DRAFT: POLICY PAPER ON REGULATORY FRAMEWORK FOR MOBILE BANKING IN PAKISTAN

bank-led model is adopted. However, Clear guidelines regarding various aspects of allowable
activities should be issued to avoid uncertainties. Further, a forceful eradication of any unlawful
and unauthorized services and offerings (generally provided by unlicensed players) - which may
sprout up - is a must to promote and safeguard the interest of genuine players (who will be
investing in the new technologies) and the overall system.

References
1. Lyman, T, Ivatury & Staschen (2006) “Use of Agents in Branchless Banking for the Poor:
Rewards, Risks, and Regulation”, CGAP Fosus Note No 38
(www.cgap.org/portal/binarycom.epicentric.contentmanagement.servlet.ContentDeliverySe
rvlet/Documents/FocusNote_38.pdf)
2. Kumar, Anjali, Ajai Nair, Adam Parsons, and Eduardo Urdapilleta. 2006. “Expanding Bank
Outreach through Retail Partnerships: Correspondent Banking in Brazil.” World Bank
Working Paper No. 85.
(http://siteresources.worldbank.org/INTTOPCONF3/Resources/363980Retail0p101OFFICI
AL0USE0ONLY1.pdf.)
3. Porteous, D (2006) “The Enabling Environment for Mobile Banking in Africa”, Report
commissioned by DFID,
(www.bankablefrontier.com/assets/ee.mobil.banking.report.v3.1.pdf)
4. Retail Payment Systems of Pakistan, 1st Quarterly Report FY2006-07, Payment Systems
Department, State Bank of Pakistan
5. 2004. “Survey of developments in electronic money and internet and mobile payments.”
Basel, Switzerland: Bank for International Settlements.
(http://www.bis.org/publ/cpss62.pdf.)

We welcome your comments and suggestions on the draft policy paper.

Please send/email your comments to:

Ali Asad Muhammad Javaid Ismail

Assistant Director OR Joint Director
ali.asad@sbp.org.pk javaid.ismail@sbp.org.pk
Banking Policy & Regulations Department,
5th Floor, State Bank of Pakistan, Main Building,
I. I. Chundrigar Road, Karachi

SBP 14 BPRD
 DRAFT: POLICY PAPER ON REGULATORY FRAMEWORK FOR MOBILE BANKING IN PAKISTAN

Appendices
Appendix 1: Banking Risks Relevant to Agent-assisted Branchless
Banking Models22.

Credit risk. Credit risk, simply stated, is the risk that one party to a financial transaction will not
receive the money he or she is owed when it is due. When banking transactions do not settle
immediately, and when additional parties are interposed between the customer and the bank,
opportunities for credit risk multiply. For example, when a customer makes a deposit at a bank
branch, she receives a deposit receipt immediately and can be fairly certain that the funds will be
credited to her account and will be available for withdrawal when desired (assuming the bank is
solvent and liquid). But when a customer makes a deposit into her bank account through a retail
agent, even if she receives a receipt immediately, she bears the risk that the transaction is not
communicated to the bank. Her account may not be credited. On the other hand, when the retail
agent processes a cash withdrawal for a customer, it is the retail agent who takes credit risk—the
risk that the bank won’t reimburse him the cash he disbursed from his till. Institutions face credit
risk with agent-assisted branchless banking whenever they must collect customer deposits or
payments from their retail agents. Obviously, they also face credit risk whenever they decide to
grant a customer a loan, and this latter form of credit risk may be enhanced in the agent assisted
branchless banking context if the bank has outsourced some or all aspects of loan underwriting or
collection to its retail agents.

Operational risk. Operational risk refers to potential losses resulting from “inadequate or failed
internal processes, people and systems or from external events.” For banks and Non-Banks that
use retail agents and rely on electronic communications to settle transactions, a variety of
potential operational risks arise. For example, customers or retail agents could commit fraud, or a
bank’s equipment or other property could be stolen from a retail agent’s premises. Financial loss
for banks or Non-Banks (and also potentially for customers) can also occur from data leaks or
data loss from hacker attacks, inadequate physical or electronic security, or poor backup systems.
Anecdotal evidence from Brazil, which has the longest track record with agent-assisted
branchless banking, suggests that operational risk is significant. Banks in Brazil have reported
losses because of retail agent fraud and robberies, which reportedly occur with great predictability
when word gets around that a particular agent is handling an increased volume of cash.

Legal risk. Financial service providers will invest in a new delivery model only if they can
predict and manage how relevant laws, regulations, and legal agreements will be applied and
enforced, and how these things may change over time. In the countries studied, the banks and
Non-Banks involved undoubtedly devoted significant effort to researching the relevant laws and
regulations before investing in agent-assisted branchless banking approaches, and in most cases,
they also consulted with regulatory authorities to understand better how authorities were likely to
apply existing rules to the new model. But because regulators have had little experience with both
models and are still adjusting existing rules to address them (or have yet to begin this process),
22
(Lyman, et al. 2006)

SBP 15 BPRD
 DRAFT: POLICY PAPER ON REGULATORY FRAMEWORK FOR MOBILE BANKING IN PAKISTAN

some level of legal and regulatory uncertainty and ambiguity for both the banks and Non-Banks
(and to a lesser extent also for retail agents) remains. Once a model becomes widely used in a
country, these uncertainties and ambiguities could take on a systemic dimension if, for example,
several banks with significant operations conducted through retail agents suddenly face an
unfavorable interpretation that challenges their authority to transact business through retail agents
or the enforceability of related legal agreements.

Liquidity risk. Retail agents - especially those that are relatively small, unsophisticated and
remote - may not have enough cash to meet customers’ requests for withdrawals and may lack
experience in the more complex liquidity management required for offering financial services. To
manage liquidity effectively, retail agents must balance several variables, including turnover of
cash, ease of access to the retail agent’s bank account, and processing time of transactions, among
others.

Reputation risk. When retail agents underperform or are robbed, banks’ public image may suffer.
Many operational risks mentioned (such as the loss of customer records or the leakage of
confidential customer data) also can cause reputation risk, as can liquidity shortfalls in the retail
agent’s cash drawer. The prospects for damage to the financial institution’s reputation from
problems of this sort should not be underestimated, because many retail agents may be
inexperienced in providing financial services, may not be accustomed to maintaining adequate
cash to settle customer withdrawals, and may lack the physical security to protect the increased
levels of cash they will have on hand if things are going well. Moreover, reputation risk can
spread from one bank or Non-Bank to another and take on systemic dimensions. In South Africa,
mobile phone banking providers expressed concern that if even one young initiative failed, it
could jeopardize customers’ trust in the entire mobile phone banking business.

Consumer protection, including resolution of consumer grievances. Obviously, any of the

foregoing categories of risk triggers consumer protection concerns if the resulting loss falls on
customers. Use of retail agents may also increase the risk that customers will be unable to
understand their rights and press claims when aggrieved. Customers are protected against fraud
by laws and regulations in the countries studied. But it is not always clear to customers how they
will be protected against fraud when they use retail agents to conduct financial transactions. For
instance, it might not be obvious whether customers should hold the bank or its retail agents liable
if they suffer a loss. Poor, remote, or marginalized people may find it particularly difficult to
understand their rights and to press a claim through a court or through the bank’s own claims
resolution mechanisms.

Anti-money laundering and combating financing of terrorism (AML/CFT). Whenever account

opening and transaction processing is outsourced to retail agents, AML/CFT regulations generally
require agents to conduct some aspects of customer due diligence and suspicious transaction
reporting. The bank bears the risk that customers are improperly identified and that they use the
retail agent to launder money or channel funding to terrorists (with or without the retail agent’s
knowledge or complicity). Outsourcing account opening and retail transaction processing to what
may be unsophisticated retail agents also may make it difficult for the bank to observe and report
suspicious transactions.

SBP 16 BPRD
 DRAFT: POLICY PAPER ON REGULATORY FRAMEWORK FOR MOBILE BANKING IN PAKISTAN

Appendix 2: Balancing AML/CFT/Customer Identification

Requirements and Access to Financial Services for the Poor23.
In many cases, poor customers lack certain documentation—such as identification cards or proof
of residence—that is necessary to comply with AML/CFT customer identification requirements.
AML/CFT precautions increase costs and, thus, may discourage providers from serving smaller
clients. There is a compelling argument that, below certain thresholds, risks for low-value
transactions and accounts aren’t serious enough to require full-scale AML/CFT measures. Some
of the countries studied have amended the rules for low-value transactions or accounts, to strike a
balance between the need for effective AML/CFT regulation and the need to ensure poor
customers are not excluded from access to financial services as a result.

In South Africa, banks and money transfer companies are not required to obtain and verify a
customer’s income tax registration number and residential address, provided that certain
requirements are met (transactions limited to approximately US$800 per day and approximately
US$4,000 per month; maximum account balance of approximately US$4,000 at any time; no
international transfers, with limited exceptions). However, institutions must still obtain and verify
a customer’s full name, date of birth, and identity number, using an official identity document for
verification. Because approximately 1.5 million eligible South Africans lack such an identity
document, the rules still exclude many low-income people from financial services.

In India, the central bank has emphasized that AML/CFT requirements should not limit poor
customers’ access to financial services. For all accounts, identity and address requirements can be
met through documentation such as ration cards or letters from public authorities or employers. In
addition, for certain low-value accounts (maximum account balance of approximately US$1,100;
maximum total annual credit of approximately US$2,300), prospective customers lacking
necessary documentation can be introduced by another customer in good standing who was
subjected to full “know your customer” procedures and who can confirm the prospective
customer’s address. Alternatively, for these low-value accounts, banks can accept any form of
documentation that satisfies them as to the identity and address of the customer.

In Brazil, poor customers must meet the same identification requirements as any other customers.
However, customers may open low-value accounts (generally, maximum balance of
approximately US$500) using records provided by the National Social Security Institute, as long
as all of the necessary identification information is contained in these documents. In addition,
customers may temporarily open a low-value account using only their Social Identity Number,
but full documentation must be provided within six months, or the account will be closed. This
gives agents operating in remote areas more time to submit the required information.
Sources: Amended Exemption 17 to the Financial Intelligence Centre Act (November 1, 2004), http://www.fic.gov.za/info/Revised%20exem
ption%2017%20+%202nd%20reporting%20exemption.pdf; Genesis Analytics Ltd., Legislative and Regulatory Obstacles to Mass Banking,
p. 54, http://www.finmark.org.za/documents/2003/SEPTEMBER/MassBanking.pdf; Circular RBI/2004-05/284, “Know Your Customer” (KYC)
Guidelines—Anti Money Laundering Standards, pp. 6 and 15 (November 29, 2004), http://www.rbi.org.in/scripts/BS_CircularIndexDisplay.
aspx?Id=2039; Resolution 3,211, http://www.bcb.gov.br/?BUSCANORMA (in Portuguese; English copy on file with authors).

23
(Lyman, et al. 2006)

SBP 17 BPRD